[PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo

From: Laszlo Ersek
Date: 2020-11-19 11:50 UTC
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao, Philippe Mathieu-Daudé

Repo:   https://pagure.io/lersek/edk2.git
Branch: tianocore_1816_resend
Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=1816

"RESEND" because I'm publicly posting the patch from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.

The Reviewed-by tags on the patch originate from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.

Repeated the simple regression test at
<https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.

This series targets edk2-stable202011. I plan to merge it later this
week, based on Liming's R-b.

Liming, highlighting TianoCore#1816 in the "proposed features" list
could be useful.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>

Thanks!
Laszlo

Laszlo Ersek (1):
  MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes

 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
 MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c            | 7 +++++++
 2 files changed, 12 insertions(+)

-- 
2.19.1.3.g30247aa5d201
[PATCH RESEND 1/1] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer sizes

From: Laszlo Ersek
Date: 2020-11-19 11:50 UTC
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao, Philippe Mathieu-Daudé

The LzmaUefiDecompressGetInfo() function
[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
silently truncates the UINT64 "DecodedSize" property of the compressed
blob to the UINT32 "DestinationSize" output parameter. If "DecodedSize"
is 0x1_0000_0100, for example, then the subsequent memory allocation (for
decompression) will likely succeed (allocating 0x100 bytes only), but
then the LzmaUefiDecompress() function (which re-fetches the uncompressed
buffer size from the same LZMA header into a "SizeT" variable) will
overwrite the buffer.

Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.

This should not be a practical limitation.

(The issue cannot be fixed for 32-bit systems without spec modifications
anyway, given that the "OutputSize" output parameter of
EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
not UINT64.)

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++ MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h index 26f110ba2a12..fbafd5f10055 100644 --- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h +++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h @@ -9,6 +9,7 @@ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__ #define __LZMADECOMPRESSLIB_INTERNAL_H__ +#include <Base.h> #include <PiPei.h> #include <Library/BaseLib.h> #include <Library/BaseMemoryLib.h> @@ -45,6 +46,10 @@ in DestinationSize and the size of the scratch buffer was returned in ScratchSize. + @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the + uncompressed buffer size (in bytes) does not fit + in a UINT32. Output parameters have not been + modified. **/ RETURN_STATUS EFIAPI diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c index c58912eb6a45..8f7c242dcaa8 100644 --- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c +++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c @@ -127,6 +127,10 @@ GetDecodedSizeOfBuf( in DestinationSize and the size of the scratch buffer was returned in ScratchSize. + @retval RETURN_UNSUPPORTED DestinationSize cannot be output because the + uncompressed buffer size (in bytes) does not fit + in a UINT32. Output parameters have not been + modified. **/ RETURN_STATUS EFIAPI 
@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo ( ASSERT(SourceSize >= LZMA_HEADER_SIZE); DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source); + if (DecodedSize > MAX_UINT32) { + return RETURN_UNSUPPORTED; + } *DestinationSize = (UINT32)DecodedSize; *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE; -- 2.19.1.3.g30247aa5d201
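Review bot: the `#include <Base.h>` added to LzmaDecompressLibInternal.h is the header that defines the MAX_UINT32 macro used by the new comparison in LzmaDecompress.c; a one-line mention of that in the commit message would make the otherwise unexplained include self-documenting.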
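Review bot: the new `if (DecodedSize > MAX_UINT32)` check in LzmaUefiDecompressGetInfo() is placed after GetDecodedSizeOfBuf() and before either `*DestinationSize` or `*ScratchSize` is written, which is exactly what makes the "Output parameters have not been modified" sentence in the new @retval text true; keep that ordering if the function is touched again. The preceding context line `ASSERT(SourceSize >= LZMA_HEADER_SIZE);` is only an assertion, so in builds where ASSERT is compiled out nothing stops GetDecodedSizeOfBuf() from being called on a Source shorter than LZMA_HEADER_SIZE; that is a pre-existing gap outside this fix, and a follow-up could replace the ASSERT with a real RETURN_INVALID_PARAMETER check.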
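As an added example (not edk2 code and not part of the patch above), the following self-contained C program models the truncation the commit message describes and the check the patch introduces: `get_info_truncating` casts the 64-bit header size straight into a 32-bit output the way the pre-fix function did, and `get_info_checked` applies the `> MAX_UINT32` rejection before any output parameter is written. The status and helper names are constructed for this example; the 13-byte LZMA-alone header layout (one properties byte, a 4-byte little-endian dictionary size, then the 8-byte little-endian uncompressed size) is the standard format and is assumed here rather than taken from the page.

```c
/* Added example: model of LzmaUefiDecompressGetInfo() before and after the
 * TianoCore#1816 fix. Status names, helper names and the sample headers are
 * constructed for this example; the 13-byte LZMA-alone header layout is the
 * standard format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZMA_HEADER_SIZE    13u  /* props(1) + dict size(4) + decoded size(8) */
#define DECODED_SIZE_OFFSET 5u   /* where the 8-byte uncompressed size lives */

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_INVALID_PARAMETER,   /* source too short to hold a header */
    STATUS_UNSUPPORTED          /* uncompressed size does not fit in 32 bits */
} status_t;

/* Model of GetDecodedSizeOfBuf(): the 64-bit uncompressed size in the header. */
static uint64_t get_decoded_size_of_buf(const uint8_t *src)
{
    uint64_t size = 0;
    for (unsigned i = 0; i < 8; i++) {
        size |= (uint64_t)src[DECODED_SIZE_OFFSET + i] << (8 * i);
    }
    return size;
}

/* Before the fix: the 64-bit size is cast straight into the 32-bit output. */
status_t get_info_truncating(const uint8_t *src, size_t src_size, uint32_t *dest_size)
{
    if (src_size < LZMA_HEADER_SIZE) {
        return STATUS_INVALID_PARAMETER;
    }
    uint64_t decoded = get_decoded_size_of_buf(src);
    *dest_size = (uint32_t)decoded;   /* 0x1_0000_0100 silently becomes 0x100 */
    return STATUS_SUCCESS;
}

/* After the fix: reject sizes above UINT32_MAX before touching any output. */
status_t get_info_checked(const uint8_t *src, size_t src_size, uint32_t *dest_size)
{
    if (src_size < LZMA_HEADER_SIZE) {
        return STATUS_INVALID_PARAMETER;
    }
    uint64_t decoded = get_decoded_size_of_buf(src);
    if (decoded > UINT32_MAX) {
        return STATUS_UNSUPPORTED;    /* output parameters stay unmodified */
    }
    *dest_size = (uint32_t)decoded;
    return STATUS_SUCCESS;
}

/* Build a constructed header that advertises the given uncompressed size. */
void make_header(uint8_t out[LZMA_HEADER_SIZE], uint64_t decoded_size)
{
    memset(out, 0, LZMA_HEADER_SIZE);
    out[0] = 0x5d;                     /* lc=3, lp=0, pb=2 properties byte */
    uint32_t dict_size = 1u << 20;     /* 1 MiB dictionary, little-endian */
    for (unsigned i = 0; i < 4; i++) {
        out[1 + i] = (uint8_t)(dict_size >> (8 * i));
    }
    for (unsigned i = 0; i < 8; i++) {
        out[DECODED_SIZE_OFFSET + i] = (uint8_t)(decoded_size >> (8 * i));
    }
}

/* The caller allocates DestinationSize bytes, then the decoder writes the
 * header's full 64-bit size. True when the truncating GetInfo would make the
 * caller allocate fewer bytes than the decoder would write. */
bool truncating_allocation_is_short(uint64_t decoded_size)
{
    uint8_t hdr[LZMA_HEADER_SIZE];
    uint32_t alloc = 0;
    make_header(hdr, decoded_size);
    if (get_info_truncating(hdr, sizeof hdr, &alloc) != STATUS_SUCCESS) {
        return false;
    }
    return (uint64_t)alloc < decoded_size;
}

/* Status the fixed GetInfo returns for a header advertising decoded_size. */
status_t checked_status_for(uint64_t decoded_size)
{
    uint8_t hdr[LZMA_HEADER_SIZE];
    uint32_t alloc = 0;
    make_header(hdr, decoded_size);
    return get_info_checked(hdr, sizeof hdr, &alloc);
}

int main(void)
{
    const uint64_t sizes[] = { 0x100ull, 0xFFFFFFFFull, 0x100000100ull };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("DecodedSize=0x%llx: truncating GetInfo under-allocates=%s, "
               "fixed GetInfo status=%d\n",
               (unsigned long long)sizes[i],
               truncating_allocation_is_short(sizes[i]) ? "yes" : "no",
               (int)checked_status_for(sizes[i]));
    }
    return 0;
}
```

The 0xFFFFFFFF case is the boundary: it still fits in 32 bits and is accepted by the fixed path, while 0x1_0000_0100 (the value from the commit message) is rejected with an unsupported status instead of producing a 0x100-byte allocation for a 4 GiB decode.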
Re: [edk2-devel] [PATCH RESEND 0/1] security fix: possible heap corruption with LzmaUefiDecompressGetInfo

From: Laszlo Ersek
Date: 2020-11-21 2:07 UTC
To: edk2-devel-groups-io
Cc: Dandan Bi, Hao A Wu, Jian J Wang, Liming Gao, Philippe Mathieu-Daudé

On 11/19/20 12:50, Laszlo Ersek wrote:
> Repo: https://pagure.io/lersek/edk2.git
> Branch: tianocore_1816_resend
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
>
> "RESEND" because I'm publicly posting the patch from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c9>.
>
> The Reviewed-by tags on the patch originate from
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c12> and
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c17>.
>
> Repeated the simple regression test at
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1816#c10>.
>
> This series targets edk2-stable202011. I plan to merge it later this
> week, based on Liming's R-b.
>
> Liming, highlighting TianoCore#1816 in the "proposed features" list
> could be useful.
>
> Cc: Dandan Bi <dandan.bi@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
>
> Thanks!
> Laszlo
>
> Laszlo Ersek (1):
>   MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed buffer
>     sizes
>
>  MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h | 5 +++++
>  MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c            | 7 +++++++
>  2 files changed, 12 insertions(+)
>

Merged as commit e7bd0dd26db7, via
<https://github.com/tianocore/edk2/pull/1138>.

Thanks,
Laszlo